REQ: Integration of 1P and RSA SecurID

Smudge
Smudge
Community Member

I would like to put in a request for RSA SecurID integration within 1Password. I found a couple of forum threads from 2011 discussing TOTP where RSA SecurID was mentioned but not much more.

Your developers would need to use the SecurID SDK to receive the OTP tokencode. RSA offers the SDKs for free and they are available for Mac, Windows, iOS, and Android. They also offer a free trial of the SecurID token system.

I'm using the SDK now on my Mac and it is working but it is not very secure and is a multi-step process that can fail (keyboard macro utility calls a bash script that runs a process to collect the PIN from my keychain, sends the PIN to the SecurID process, receives the tokencode, creates an Applescript string with the tokencode as keypress codes, then calls osascript to run the script string as AppleEvents). As you can imagine, having all of this done by 1P would be so much better.

One drawback is that the Token Storage Device (the SecurID internal database) which is encoded with details of the system, like hostname, disk storage location, user account unique ID, etc. therefore it is tied to a specific device and most companies don't authorize multiple tokens for an employee to be used on multiple devices. This would mean that even though 1P is available on multiple devices for a user, it would only generate the proper code when 1P is used on the specific device.

An option to look into, and you might have to work directly with RSA for this, is to have the ability of the Token Storage Device (the SecurID internal database) be created within the 1P vault instead of on the device's file system. This would allow the token to be used by any 1P application.

Thanks


1Password Version: 6.1
Extension Version: Not Provided
OS Version: OS X 10.11.6, iOS 9.3.4, Windows 7
Sync Type: Not Provided

«1

Comments

  • Hi @Smudge ,

    Thanks for taking the time to write in with your detailed request, especially with the caveats and challenges that may be faced. I can certainly see how handy having SecurID implemented directly within 1Password would be useful. We have a request open with our development team to investigate SecurID integration. While I don't have any information for you today, I can see we will discuss it for future consideration.

    Cheers,
    Kevin

    ref: OPI-2899

  • vplewis
    vplewis
    Community Member

    @Smudge FYI, there's an app for that. VIP Access is available for both the iPad and iPhone (plus Apple Watch). It provides the 6-digit numeric necessary to to complete my logon to E*Trade, for instance. Don't think it's available for the Mac yet. HTH

  • Drew_AG
    Drew_AG
    1Password Alumni

    Thanks @vplewis! :)

  • nununo
    nununo
    Community Member

    Any news on this?
    I also use RSA SecurID and would love to get rid of it and use 1P for my VPN login instead.
    Thanks.

  • Pilar
    Pilar
    1Password Alumni

    Hi @nununo

    We have it on our tracker, but we don't have any update for it just yet. Stay around to see what gets implemented in 1Password :chuffed:

  • nununo
    nununo
    Community Member

    Thanks. I am subscribed to this thread so I hope it gets announced here in case I don't see it in the release notes.

  • Pilar
    Pilar
    1Password Alumni

    Hi @nununo

    You're welcome :chuffed: Thank you very much for your patience!

  • abjarna
    abjarna
    Community Member

    +1 for this request. I would love to have RSA SecurID implemented in 1Password as well. My online bank requires me to use that to login. But I just hate having to use the RSA app for only that one login, and then 1password for everything else :/

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for letting us know you'd like us to add that feature! :)

  • dexterpeters
    dexterpeters
    Community Member

    I would love to see this too. It's would be so much more convenient if I could store it in 1Password rather than having a separate app for a single website.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for letting us know. I've passed your request onto the team. :)

  • lerokie
    lerokie
    Community Member

    +1 for this request!
    Please add RSA SecureID support to 1Password!

  • AGAlumB
    AGAlumB
    1Password Alumni

    It's something we can consider adding in the future. Cheers! :)

  • nuvs
    nuvs
    Community Member

    Adding my voice, too. Pretty please? :smile:

  • AGAlumB
    AGAlumB
    1Password Alumni

    Not something we're going to do at this time, but thanks for letting us know it's something you'd be interested in down the line. :)

  • bdurham
    bdurham
    Community Member
    edited January 2018

    Please reconsider this request. The RSA apps are not user friendly and the lack of RSA functionality minimizes the value of 1Password's all-in-one advantage. Thank you.

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @bdurham! I'm not sure I'd say it "minimizes" 1Password's value, but I can certainly see that it reduces it for those of you who need a SecurID solution as well as the features offered by 1Password already. We've got quite a bit on our collective plates just now, with the upcoming release of 1Password 7 across all platforms, as well as the ongoing refinements to 1password.com and the client integrations, but we haven't forgotten about this. It's still on our list of requested features, so thanks for weighing in and reminding us. :)

  • bdurham
    bdurham
    Community Member

    @Lars: Thanks for keeping an RSA SecurID capability on the list of requested features ... making 1Password the goto place for all styles of logins.

  • Lars
    Lars
    1Password Alumni

    @bdurham: I want to make sure I'm not spreading false hope here: while this is literally still on our list, that doesn't necessarily mean we'll absolutely be doing it. It means we think enough of the idea that we don't reject it out of hand (which happens with some of the less-feasible requests we get)...but I would still put this one squarely in the "someday maybe" category: we know there's a slice of our user base who would really like/benefit from this. And it's a good idea. The trouble can sometimes be: there's a lot of good ideas, and only so many developer-hours in a week, plus other priorities/updates/bug fixes, etc. It's not an exact science, by any means. And I hope you'll get a pleasant surprise one morning...but I want to make sure I've been clear that we're not promising it at this point. Thanks again for caring enough about the future of 1Password that you stopped by to make your wishes known -- we really appreciate that.

  • bdurham
    bdurham
    Community Member

    @Lars: Thanks for taking the time to clarify where this request fits into the overall enhancement strategy. I understand and appreciate the transparency. One way to fund this type of enhancement might be to offer this SecurID functionality as part of a future 1Password Professional or Business User plan. SecurID is obviously not a priority for many individuals or families ... but its an annoying requirement in many business environments. I would be happy to pay more for SecurID functionality. Perhaps there are other features that apply to the business market that could be bundled into such an offering, eg. special features for SSL certs, SSH keys, business encryption keys, etc (although I suspect the current product already handles these needs pretty well).

  • Lars
    Lars
    1Password Alumni

    @bdurham - I agree on essentially all points there.

    ...offer this SecurID functionality as part of a future 1Password Professional or Business User plan.

    That plan already exists, and it's called 1Password Teams. There are already a number of features that exist there which aren't part of any other 1Password setup. Things like advanced user permissions control, Duo integration, and various other business-specific features are available there. And 1Password Teams is already priced accordingly. If you're looking for 1Password for a business or organization, you'll definitely want to check that out.

    Our development cycle may seem a little longer than some other apps, but that's because we have to be certain that ANYTHING we do, any feature we add, is as secure as we can make it. All software has bugs, including 1Password, but we do everything we can to ensure there aren't any security-related bugs. As a result, adding new features can sometimes feel like it's taking longer than perhaps a quick glance might indicate would seem necessary for a given feature, even with the additional resources that go into the 1Password Teams solution. In the past year, we've added a command line interface (now on version 0.2!), launched 1Password X for Chrome and Linux and much more. This is starting to sound like a list of excuses for why we've not worked on SecurID, so I'll stop because that's not my intention at all. It's merely to reiterate that new features development continues apace, especially in the 1Password Teams sector, so don't be surprised if the SecurID issue gets addressed at some point in the not-too-distant future. Cheers! :)

  • bdurham
    bdurham
    Community Member

    @Lars: All good! Thanks again for sharing. I'm a big fan of 1Password so please accept my feedback as suggestions vs complaints. Rock on!

  • Lars
    Lars
    1Password Alumni

    @bdurham

    I'm a big fan of 1Password so please accept my feedback as suggestions vs complaints.

    Both are valid things, but I will say that after you do this for a while, you begin to get a pretty good sense of who's making helpful suggestions. You were clearly in that category, in my mind. :)

    Thanks for the kind words, and the same to you -- literally. Around here, we're of the opinion that it is you guys - all 1Password users, but in particular, the ones that take their personal time to show up and engage in this kind of constructive conversation and offer suggestions for what they'd like to see in 1Password in the future - who truly rock. Everyone here, from Dave and Roustem to the newest hire, feels very grateful to have such an engaged and savvy community of users. Not all developers are so fortunate, and we treasure every bit of feedback because it keeps us abreast of what people in the "real world" want, and reminds us to keep pushing forward to make 1Password the best it can be. Thanks for taking some of your time to be part of that. :) Have a great rest of your week!

  • lerokie
    lerokie
    Community Member

    Hi guys, and Pilar,

    Just checking in... Every time I have to login to my work computer from home I wish for this feature in 1P. I just subscribed and upgraded to 1P7, and still hoping to get this feature added soon...

    Thank you for making awesome software for all of us to use.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @lerokie: Thanks for following up! We don't use anything from RSA, but you can enable two-factor authentication on your account. I hope this helps. Be sure to let me know if you have any other questions! :)

  • senseisimple
    senseisimple
    Community Member

    This would be pretty great. It would require that we provide the RSA device binding string (i.e. "http://127.0.0.1/securid/ctf?ctfData=00000000...." and a pin).

    It shouldn't be too difficult to implement as the open source "stoken" package does this reliably and can be used on several devices at once, all of them always generating the same correct token. Generally the RSA SecurID requires a pin to generate a soft-token which can be stored in stoken and instead assign a password (or no auth; simply run the stoken command or open the GUI).

    Instead of the 6 digit token the RSA hardware key generates (and is entered on an auth page as PIN000000), a soft token is 8 digits and presumably includes the pin as part of its extra two digits since a pin on the receiving end is not required at that point.

    https://github.com/cernekee/stoken/blob/master/src/securid.c
    https://github.com/cernekee/stoken/blob/master/src/securid.h

  • AGAlumB
    AGAlumB
    1Password Alumni

    Nothing is too difficult when someone else has to do the work. :lol: But in all seriousness, we don't currently have plans to add support for this, as we're working on a lot of other stuff that's received greater interest and therefore will benefit more people. It's possible that could change in the future though, so it's good to know you'd like us to add a feature supporting this proprietary option. Cheers! :)

  • robmaceachern
    robmaceachern
    Community Member

    +1 This would be a nice feature to have.

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @robmaceachern! Thanks for adding your voice to this. :) :+1:

  • devinitelybk
    devinitelybk
    Community Member

    +1 on this feature request

This discussion has been closed.